July 17, 2009

What does "willful neglect" mean under HITECH/HIPAA?

Well, that is anybody's guess at this point, but as a privacy lawyer I can assure you that HHS/OCR or CMS will "know it when they see it." I am going to offer up a common sense definition of what this term means.

As I see it, "willful neglect" (i.e. what will get you the stiffest penalties for non-compliance under the HITECH Act) essentially means: "being clueless and/or cavalier about your compliance strategy." OK great, thanks, so what does "clueless and/or cavalier" mean?

Here are some indicators:

All you have are legal documents for patients and/or business associates to sign without the underlying processes to support said documents.

You have legal documents but they do not meet the specific requirements contained in the regulations.

You have no demonstrable evidence that you are training your staff as required by the regulations. When was the last time that the receptionist received training?

You have no plan to show how you are working on full compliance, despite the fact that you are not in full compliance at the moment.

You have an EHR system running on a local server and the server room is not secured.

Your employees have their passwords on "sticky notes" that are readily visible.

You have not implemented (and have no idea regarding) HHS' guidance for securing protected health information (PHI).

You have no plan for notifying your patients (and potentially the media) when your unsecured PHI has been breached.

In short, given the lax enforcement of HIPAA's Privacy & Security Rules prior to the HITECH Act, I am certain that HHS/CMS are going to have no problem finding instances of "willful neglect," especially for those unlucky few who are the first ones audited (and BTW, audits are now mandatory under HITECH).

Last but certainly not least, if you are not in compliance with HIPAA's rules, you are not going to be paid your incentives under the HITECH Act, since compliance with the rules is now part of the "meaningful use" definition that applies to EHR implementations.